Improving Jitsi Authentication

Hello dear Jitsi Community,

I am a developer at Apitech (https://apitech.net/), a company which has been working on Jitsi-based projects for the past 5 years. We now have quite an expertise on Jitsi’s whole ecosystem and we would like to contribute by developing a feature that would benefit a lot of people.

Here’s the idea: today, we can use JWT authentication (thanks to Prosody) for newly created conferences. We would like to add a component, to enhance authentication and open the way to many auth possibilities, without breaking any existing thing. That component would communicate with Jitsi on one side, and with an authentication provider (OIDC, OAuth, SAML, CAS, whatever you like!) on the other side, but would always return a JWT to Jitsi! It would also allow users to get information from their SSO into Jitsi (nickname, avatar, moderator role, …), using the JWT.

Here’s a graphical explanation of these interactions between components

Here’s what it could look like on Jitsi windows

Here’s what the config.js could look like:

I’m sharing that post with you to have your thoughts on a feature like that, but also your ideas and improvements. It’s not a “regular” feature request, as we are ready to do that implementation ourselves, if enough people are interested.

The idea is to make this component as open as possible, to allow people to add their authentication methods. Of course, we would have to develop something that can also work for mobile clients.

Thanks in advance for your thoughts and support! :slightly_smiling_face:

6 Likes

Good stuff!

I think we have the initial bits in already, but it’s not a code path which is very visible or tested. There is a (sadly) undocumented setting called tokenAuthUrl which will open a window to authenticate with a service and then get back a JWT.

So your service would need to implement the multiple auth flows and just return a JWT Jitsi likes.

AFAIK KeyCloak can do this already with some glue: d3473r/jitsi-keycloak (“Login to jitsi with keycloak”), https://hub.docker.com/r/d3473r/jitsi-keycloak

Now, this doesn’t work on mobile, for example, so we could definitely use some help there!

4 Likes
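
As an added example (not from this thread and not Jitsi's or Apitech's code), here is the core step such a bridge performs once the identity provider has authenticated the user: it maps the verified claims to a short-lived, room-bound HS256 JWT, alongside the checks the receiving side should apply. The claim layout, moderator group name, app id, domain and secret are assumptions or constructed values; match them to your own Prosody token configuration.

```python
import base64, hashlib, hmac, json, time

APP_ID = "example_app_id"                # assumption: must match the Prosody app id
APP_SECRET = b"constructed-demo-secret"  # constructed; load from a secret store
TTL = 300                                # short lifetime limits reuse of a leaked token

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(head, body):
    return hmac.new(APP_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()

def mint_jitsi_jwt(idp_claims, room, now=None):
    """Map already-verified IdP claims to an HS256 JWT bound to one room."""
    now = int(time.time()) if now is None else now
    payload = {
        "iss": APP_ID, "aud": "jitsi", "sub": "meet.example.org",
        "room": room,                    # one room per token, not a wildcard
        "nbf": now - 10, "exp": now + TTL,
        "context": {"user": {
            "id": idp_claims["sub"],
            "name": idp_claims.get("name", ""),
            "avatar": idp_claims.get("picture", ""),
            # assumption: moderator role derived from a hypothetical IdP group
            "moderator": "jitsi-moderators" in idp_claims.get("groups", []),
        }},
    }
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(payload).encode())
    return f"{head}.{body}.{_b64(_sign(head, body))}"

def verify_jitsi_jwt(token, room, now=None):
    """Checks the receiving side should make; raises ValueError on failure."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        header, payload = json.loads(_unb64(head)), json.loads(_unb64(body))
        given = _unb64(sig)
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256":     # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(_sign(head, body), given):
        raise ValueError("bad signature")
    if payload.get("iss") != APP_ID or payload.get("room") != room:
        raise ValueError("wrong issuer or room")
    if not payload.get("nbf", 0) <= now < payload.get("exp", 0):
        raise ValueError("token not valid at this time")
    return payload
```
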

Nice. Great stuff, thanks.

I’m also working on adding authentication via blockchain and DIDs, not just the classic centralized services

1 Like

Looking forward to the extra buzzword compliance :stuck_out_tongue:

3 Likes